SearchGuard + SSO + Kibana (5)


Mariusz Derela

Jan 30, 2017, 1:34:02 PM1/30/17
to Search Guard
Hi team

I am playing with SG and I've noticed some issues related to SSO/XFF. Could someone help me clear up my doubts?

Below you can find my current configuration:

  # Search Guard action groups: named sets of Elasticsearch action patterns.
  # A group may list other groups (e.g. CRUD -> READ + WRITE, SEARCH -> SUGGEST);
  # roles in sg_roles.yml refer to these names.
  sg_action_groups.yml: |-
    # ALL is "indices:*": any role that lists ALL on an index pattern already has
    # every other index-level group below, so extra entries next to it add nothing.
    ALL:
      - "indices:*"
    MANAGE:
      - "indices:monitor/*"
      - "indices:admin/*"
    CREATE_INDEX:
      - "indices:admin/create"
      - "indices:admin/mapping/put"
    MANAGE_ALIASES:
      - "indices:admin/aliases*"
    MONITOR:
      - "indices:monitor/*"
    DATA_ACCESS:
      - "indices:data/*"
      - "indices:admin/mapping/put"
    WRITE:
      - "indices:data/write*"
      - "indices:admin/mapping/put"
    READ:
      - "indices:data/read*"
    DELETE:
      - "indices:data/write/delete*"
    # Composite groups: entries that are not action patterns are other group names.
    CRUD:
      - READ
      - WRITE
    SEARCH:
      - "indices:data/read/search*"
      - "indices:data/read/msearch*"
      - SUGGEST
    SUGGEST:
      - "indices:data/read/suggest*"
    INDEX:
      - "indices:data/write/index*"
      - "indices:data/write/update*"
      - "indices:admin/mapping/put"
      # no bulk index
    GET:
      - "indices:data/read/get*"
      - "indices:data/read/mget*"
    # CLUSTER
    CLUSTER_ALL:
      - cluster:*
    CLUSTER_MONITOR:
      - cluster:monitor/*
    # Multi-index ("composite") read operations that are checked at cluster level.
    CLUSTER_COMPOSITE_OPS_RO:
      - "indices:data/read/mget"
      - "indices:data/read/msearch"
      - "indices:data/read/mtv"
      - "indices:data/read/coordinate-msearch*"
      - "indices:admin/aliases/exists*"
      - "indices:admin/aliases/get*"
    # Read-write superset of the above (bulk writes and alias changes).
    CLUSTER_COMPOSITE_OPS:
      - "indices:data/write/bulk"
      - "indices:admin/aliases*"
      - CLUSTER_COMPOSITE_OPS_RO
    # What the Kibana server process needs on its own index (.kibana):
    # read, write, delete, refresh and mapping updates.
    KIBANA_SERVER:
      - indices:admin/exists*
      - indices:admin/mapping/put*
      - indices:admin/mappings/fields/get*
      - indices:admin/refresh*
      - indices:admin/validate/query*
      - indices:data/read/get*
      - indices:data/read/mget*
      - indices:data/read/search*
      - indices:data/write/delete*
      - indices:data/write/index*
      - indices:data/write/update*
    # What a Kibana end user needs on data indices: read-only plus the metadata
    # calls (field mappings, query validation) that Discover/Visualize issue.
    KIBANA_USER:
      - indices:data/read*
      - indices:admin/mappings/fields/get*
      - indices:admin/validate/query*
      - indices:admin/get*
  # Search Guard dynamic configuration: XFF handling and the authentication
  # domains, evaluated in ascending 'order'.
  sg_config.yml: |-
    searchguard:
      dynamic:
        http:
          anonymous_auth_enabled: false
          # XFF: which peer addresses may supply the remote-IP / proxy headers.
          xff:
            enabled: true
            internalProxies: '.*' # trust all internal proxies, regex pattern
            remoteIpHeader:  'x-forwarded-for'
            proxiesHeader:   'x-forwarded-by'
            trustedProxies: '.*' # trust all external proxies, regex pattern
            # NOTE(review): with both patterns set to '.*' the proxy headers are
            # accepted from any source address. Combined with the header-based
            # domain below (no password check), any client that can reach the
            # Elasticsearch HTTP port directly can assert an identity by sending
            # x-proxy-user / x-proxy-roles itself. Once the setup works, restrict
            # both patterns to the reverse proxy's address(es) — placeholder:
            # internalProxies: '<nginx-ip-regex>'.
        authc:
          # Order 1: header-based SSO for requests arriving via the reverse proxy.
          # The 'noop' backend performs no further credential check, so the
          # value of user_header is taken as the authenticated user; the xff
          # restriction above is what makes that trustworthy.
          proxy_auth_domain:
            enabled: true
            order: 1
            http_authenticator:
              type: proxy
              challenge: false
              config:
                user_header: "x-proxy-user"
                roles_header: "x-proxy-roles"
            authentication_backend:
              type: noop
          # Order 2: HTTP Basic against the internal user database
          # (sg_internal_users.yml), used when no proxy headers are present
          # (e.g. the Kibana server account and logstash). challenge: false means
          # no WWW-Authenticate challenge is returned to unauthenticated clients.
          basic_internal_auth_domain:
            enabled: true
            order: 2
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: intern
  # Internal user database: bcrypt password hashes only. Roles are attached to
  # these usernames in sg_roles_mapping.yml.
  sg_internal_users.yml: |-
    # NOTE(review): the cleartext passwords recorded in the comments below should
    # be removed before this file is shared or committed; the hash is all that
    # Search Guard needs.
    smdt:
      hash: $2a$12$MI8K2df5.mN/RulK9oyzG.grdveeiaujppUqMybHbVhnr5uvP59Gi
      #password is: admin
    ingestion:
      hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
      #password is: logstash
    # NOTE(review): npaboss, npa1, npa2 and kibanaserver carry one identical hash,
    # i.e. the Kibana server account and all three tenant accounts share a single
    # password. Give each account its own credential, especially kibanaserver,
    # which has ALL on the .kibana index via sg_kibana_server.
    npaboss:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
    npa1:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
    npa2:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
    kibanaserver:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
  # Search Guard roles: per role, cluster-level permissions and, per index
  # pattern and document type, the action groups (from sg_action_groups.yml)
  # or raw action patterns that are granted.
  sg_roles.yml: |-
    # Unrestricted administrator.
    sg_all_access:
      cluster:
        - '*'
      indices:
        '*':
          '*':
            - '*'
    # Minimal cluster-state access for transport clients.
    sg_transport_client:
      cluster:
          - cluster:monitor/nodes/liveness
          - cluster:monitor/state
    # Kibana's own service account: monitoring plus full access to the Kibana
    # index. The leading '?' is presumably a single-character wildcard standing
    # for the dot in '.kibana' — confirm against the Search Guard version in use.
    sg_kibana_server:
      cluster:
          - CLUSTER_MONITOR
          - CLUSTER_COMPOSITE_OPS
      indices:
        '?kibana':
          '*':
            - ALL
    # Ingestion account (logstash): bulk writes, templates, create/CRUD on all
    # indices. The '*beat*' entry is already covered by the '*' entry above it.
    sg_logstash:
      cluster:
        - indices:admin/template/get
        - indices:admin/template/put
        - indices:data/write/bulk*
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '*':
          '*':
            - CRUD
            - CREATE_INDEX
        '*beat*':
          '*':
            - CRUD
            - CREATE_INDEX
    # "Boss" role: effectively the same as sg_all_access — '*' on cluster and
    # '*' on every index; the KIBANA_USER and '?kibana' entries add nothing.
    sg_role_boss:
      cluster:
        - '*'
      indices:
        '*':
          '*':
            - KIBANA_USER
            - '*'
        '?kibana':
          '*':
            - KIBANA_SERVER
    # Tenant 1: data indices are scoped by name pattern '*-1-*'.
    # ALL ("indices:*") already includes KIBANA_USER / KIBANA_SERVER, so those
    # entries are redundant where ALL is listed.
    # NOTE(review): the '?kibana*' entry grants ALL on the shared Kibana index,
    # and sg_role_2 grants the same, so saved objects and index patterns are
    # not separated between the two tenants — only the data indices are.
    sg_role_1:
      cluster:
        - indices:admin/template/get
        - indices:admin/template/put
        - indices:data/write/bulk*
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '*-1-*':
          '*':
            - KIBANA_USER
            - ALL
        '?kibana*':
          '*':
            - KIBANA_SERVER
            - ALL
    # Tenant 2: mirror of sg_role_1 with the '*-2-*' index pattern; the same
    # note about the shared '?kibana*' index applies.
    sg_role_2:
      cluster:
        - indices:admin/template/get
        - indices:admin/template/put
        - indices:data/write/bulk*
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '*-2-*':
          '*':
            - KIBANA_USER
            - ALL
        '?kibana*':
          '*':
            - KIBANA_SERVER
            - ALL
  # Role mapping: which authenticated usernames receive each Search Guard role.
  # All entries here map by 'users:' (the username from x-proxy-user or from
  # the internal database); there are no 'backendroles:' entries, so the value
  # sent in x-proxy-roles presumably does not influence the mapping — confirm
  # against the Search Guard version in use.
  sg_roles_mapping.yml: |-
    sg_logstash:
      users:
        - ingestion
    sg_kibana_server:
      users:
        - kibanaserver
    sg_all_access:
      users:
        - smdt
    sg_role_boss:
      users:
        - npaboss
    # One tenant account per nginx server block below (npa1 -> kibana-1,
    # npa2 -> kibana-2).
    sg_role_1:
      users:
        - npa1
    sg_role_2:
      users:
        - npa2





My goal is to set up nginx as a reverse proxy:

        # Tenant 1 front end: users who pass LDAP authentication against GROUP1
        # are forwarded to Kibana as the single fixed Search Guard identity
        # "npa1" / role "sg_role_1".
        server {
            listen 8080 ssl;
            server_name kibana-1.example.org ;
            ssl_certificate      /etc/secrets/cert;
            ssl_certificate_key  /etc/secrets/key;
            ssl_session_cache    shared:ssl:1m;
            # debug level is very verbose (per-request detail); lower it once
            # troubleshooting is done.
            error_log /var/log/nginx/error.log debug;
            auth_ldap "forbidden";
            auth_ldap_servers  GROUP1;
            location / {
                # proxy_set_header replaces any client-supplied header of the same
                # name, so a browser cannot inject its own x-proxy-user /
                # x-proxy-roles through this hop.
                # $proxy_add_x_forwarded_for keeps the incoming X-Forwarded-For
                # chain (client-controlled) and appends $remote_addr.
                proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
                proxy_set_header x-real_p $remote_addr;
                # NOTE(review): every GROUP1 member becomes "npa1", so Elasticsearch
                # and Kibana logs cannot tell individual users apart. Passing the
                # authenticated login instead of a constant would restore
                # per-user accountability (nginx exposes it as $remote_user if the
                # auth_ldap module populates it — TODO confirm).
                proxy_set_header x-proxy-user "npa1";
                proxy_set_header x-proxy-roles "sg_role_1";
                proxy_set_header host $http_host;
                proxy_redirect off;
                # Upstream TLS: nginx does not verify the upstream certificate
                # unless proxy_ssl_verify is enabled (it is off by default).
                proxy_pass https://kibana:5601/;
            }
        }
        # Tenant 2 front end: same layout as the kibana-1 server block, with
        # LDAP group GROUP2 mapped to the fixed identity "npa2" / "sg_role_2".
        server {
            listen 8080 ssl;
            server_name kibana-2.example.org ;
            ssl_certificate      /etc/secrets/cert;
            ssl_certificate_key  /etc/secrets/key;
            ssl_session_cache    shared:ssl:1m;
            # debug level is very verbose; lower it once troubleshooting is done.
            error_log /var/log/nginx/error.log debug;
            auth_ldap "forbidden";
            auth_ldap_servers  GROUP2;
            location / {
                # proxy_set_header overwrites any client-supplied value, so the
                # identity headers below cannot be injected by the browser.
                proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
                proxy_set_header x-real_p $remote_addr;
                # NOTE(review): all GROUP2 members share the identity "npa2";
                # see the note on the kibana-1 block about per-user accountability.
                proxy_set_header x-proxy-user "npa2";
                proxy_set_header x-proxy-roles "sg_role_2";
                proxy_set_header host $http_host;
                proxy_redirect off;
                # Upstream certificate is not verified unless proxy_ssl_verify is on.
                proxy_pass https://kibana:5601/;
            }
        }




Direct access to ELK works fine:
curl -XGET -k  'https://es-master:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: npa1" -H "x-proxy-roles: sg_role_1" -H "x-forwarded-for: 192.168.1.1"


{

 
"user" : "User [name=npanl, roles=[sg_role_1]]",
 
"remote_address" : "192.168.1.21:37374",
 
"sg_roles" : [
   
"sg_role_1"
 
],
 
"principal" : null,
 
"peer_certificates" : "0"
}




I am able to query data in index *-1-* as well (on port 9200).

My only issue is with Kibana... I am not able to use index discovery. I can log in to Kibana (dump from the logs):

{"type":"response","@timestamp":"2017-01-30T18:27:02Z","tags":[],"pid":1,"method":"get","statusCode":404,"req":{"url":"/elasticsearch/logstash-*/_mapping/field/*?_=1485800822220&ignore_unavailable=false&allow_no_indices=false&include_defaults=true","method":"get","headers":{"x-forwarded-for":"10.131.0.1","x-real_p":"10.131.0.1","x-proxy-user":"npa1","x-proxy-roles":"sg_role_1","host":"kibana-1.example.net","connection":"close","accept":"application/json,
text/plain, */*","kbn-version":"5.1.2","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/53.0.2785.21 Safari/537.36
MMS/1.0.2459.0","referer":"https://kibana-ccert.yoda.pl.ing.net/app/kibana","accept-encoding":"gzip, deflate, sdch,
br","accept-language":"en-US,en;q=0.8"},"remoteAddress":"10.131.0.1","userAgent":"10.131.0.1","referer":"https://kibana-1.example.net/app/kibana"},"res":{"statusCode":404,"responseTime":6,"contentLength":9},"message":"GET
/elasticsearch/logstash-*/_mapping/field/*?_=1485800822220&ignore_unavailable=false&allow_no_indices=false&include_defaults=true
404 6ms - 9.0B"}




So far so good. However, when I tried to use "Configure pattern":




Any idea?

SG

Jan 31, 2017, 7:36:35 AM1/31/17
to search...@googlegroups.com
First of all: which exact Search Guard version and which exact Elasticsearch/Kibana versions are you using?

If you use Kibana 5, you must whitelist your headers in kibana.yml (x-proxy-user, x-proxy-roles, x-forwarded-for).

Please also provide DEBUG-level logs from your Elasticsearch node (elasticsearch.log).
> Any idea?
>
>
